Analysis Report DHL Original Receipt_pdf.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
|
Malware Configuration |
---|
Threatname: Agenttesla |
---|
{"Exfil Mode": "SMTP", "SMTP Info": "coco@gmicaprelam.incoco2424@gmicaprelam.in"}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
Click to see the 4 entries |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
Click to see the 1 entries |
Sigma Overview |
---|
Networking: |
---|
Sigma detected: MSBuild connects to smtp port | Show sources |
Source: | Author: Joe Security: |
Signature Overview |
---|
Click to jump to signature section
AV Detection: |
---|
Found malware configuration | Show sources |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Machine Learning detection for sample | Show sources |
Source: | Joe Sandbox ML: |
Source: | Avira: |
Source: | Static PE information: |
Source: | File opened: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Networking: |
---|
Source: | TCP traffic: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | TCP traffic: |
Source: | Code function: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Code function: |
System Summary: |
---|
.NET source code contains very large array initializations | Show sources |
Source: | Large array initialization: |
Initial sample is a PE file and has a suspicious name | Show sources |
Source: | Static PE information: |
Source: | Code function: | ||
Source: | Code function: |
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: |
Source: | Classification label: |
Source: | Code function: | ||
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | File read: | Jump to behavior |
Source: | Key opened: |
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Key value queried: |
Source: | File opened: |
Source: | Key opened: |
Source: | File opened: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: |
Source: | Code function: |
Source: | File created: | Jump to dropped file |
Source: | Registry key monitored for changes: |
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: |
Malware Analysis System Evasion: |
---|
Found evasive API chain (trying to detect sleep duration tampering with parallel thread) | Show sources |
Source: | Function Chain: | ||
Source: | Function Chain: |
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Show sources |
Source: | WMI Queries: |
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Show sources |
Source: | WMI Queries: |
Source: | File opened / queried: |
Source: | Thread delayed: |
Source: | Window / User API: |
Source: | Thread sleep time: | ||
Source: | Thread sleep count: | ||
Source: | Thread sleep time: | ||
Source: | Thread sleep time: |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | Last function: | ||
Source: | Last function: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Thread delayed: | ||
Source: | Thread delayed: | ||
Source: | Thread delayed: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process information queried: |
Source: | Code function: |
Source: | Code function: |
Source: | Process token adjusted: |
Source: | Memory allocated: |
HIPS / PFW / Operating System Protection Evasion: |
---|
Maps a DLL or memory area into another process | Show sources |
Source: | Section loaded: |
Writes to foreign memory regions | Show sources |
Source: | Memory written: |
Source: | Process created: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Queries volume information: | ||
Source: | Queries volume information: |
Source: | Code function: |
Source: | Key value queried: |
Stealing of Sensitive Information: |
---|
Yara detected AgentTesla | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Yara detected AgentTesla | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) | Show sources |
Source: | Key opened: |
Tries to harvest and steal browser information (history, passwords, etc) | Show sources |
Source: | File opened: | ||
Source: | File opened: |
Tries to harvest and steal ftp login credentials | Show sources |
Source: | File opened: | ||
Source: | File opened: |
Tries to steal Mail credentials (via file access) | Show sources |
Source: | File opened: | ||
Source: | File opened: | ||
Source: | Key opened: | ||
Source: | Key opened: |
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality: |
---|
Yara detected AgentTesla | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Yara detected AgentTesla | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation211 | Path Interception | Access Token Manipulation1 | Disable or Modify Tools11 | OS Credential Dumping2 | File and Directory Discovery2 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1 |
Default Accounts | Native API11 | Boot or Logon Initialization Scripts | Process Injection212 | Deobfuscate/Decode Files or Information1 | Credentials in Registry1 | System Information Discovery116 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Encrypted Channel1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Security Account Manager | Query Registry1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing1 | NTDS | Security Software Discovery121 | Distributed Component Object Model | Clipboard Data1 | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion141 | LSA Secrets | Process Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol11 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Access Token Manipulation1 | Cached Domain Credentials | Virtualization/Sandbox Evasion141 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection212 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph |
---|
Screenshots |
---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
30% | Virustotal | Browse | ||
41% | ReversingLabs | Win32.Trojan.AgentTesla | ||
100% | Joe Sandbox ML |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Metadefender | Browse | ||
0% | ReversingLabs |
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/Spy.Gen8 | Download File | ||
100% | Avira | HEUR/AGEN.1137482 | Download File | ||
100% | Avira | HEUR/AGEN.1137482 | Download File |
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Virustotal | Browse |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
gmicaprelam.in | 85.187.128.34 | true | true |
| unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| low | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown |
Contacted IPs |
---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
85.187.128.34 | gmicaprelam.in | United States | 55293 | A2HOSTINGUS | true |
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 433258 |
Start date: | 11.06.2021 |
Start time: | 14:49:19 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 43s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | DHL Original Receipt_pdf.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 23 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.spre.troj.spyw.evad.winEXE@3/4@1/1 |
EGA Information: | Failed |
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
14:50:22 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
85.187.128.34 | Get hash | malicious | Browse | ||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
gmicaprelam.in | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
A2HOSTINGUS | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\nsvDCD7.tmp\System.dll | Get hash | malicious | Browse | ||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse |
Created / dropped Files |
---|
Process: | C:\Users\user\Desktop\DHL Original Receipt_pdf.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 322013 |
Entropy (8bit): | 7.48504577375667 |
Encrypted: | false |
SSDEEP: | 6144:8S85eJ8UxDlFbNvsxgCCAo0BuWKJE5285RLk5fO20OIesyN6Y2it:785fQFbXCfwDKTImdOIINQS |
MD5: | CFDD4CCF7F714F82444F81B771F81F5A |
SHA1: | CBA5F09C9F6466E2E159721D95A98C45521ACA30 |
SHA-256: | 599B93F8209DEC77381A7EBD384369BF46974C38604BFD2689E5677E6C984C0A |
SHA-512: | F21F28DB62BFBF8E0212531FF13C96C3C9D872D5EDC5F0AA5EFD94E7D6E3C496F3534F5F36E3908EB2A11F9B037C24DDF8F550997FC21CF5735222595FA589C1 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Users\user\Desktop\DHL Original Receipt_pdf.exe |
File Type: | |
Category: | modified |
Size (bytes): | 11776 |
Entropy (8bit): | 5.855045165595541 |
Encrypted: | false |
SSDEEP: | 192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4 |
MD5: | FCCFF8CB7A1067E23FD2E2B63971A8E1 |
SHA1: | 30E2A9E137C1223A78A0F7B0BF96A1C361976D91 |
SHA-256: | 6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E |
SHA-512: | F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C |
Malicious: | false |
Antivirus: |
|
Joe Sandbox View: |
|
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Users\user\Desktop\DHL Original Receipt_pdf.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60209 |
Entropy (8bit): | 4.971325407303197 |
Encrypted: | false |
SSDEEP: | 1536:5BgIe8ZXI1WsPrkvnDgpZdAk39T9ry6/zFkjpaD7lNTfa3D:5BgIe8ZtWkLgb+kNN/ya9N23D |
MD5: | 9E2895F6220DC4CA141D4C52B949C915 |
SHA1: | 6FB2FB7F7FEDD604545A1F91B50AFFEFF6286278 |
SHA-256: | 6E1FEDDECB4F11F73B42F8004BD8D6B3E22C67FDC58A80B3D87A24F11F876D79 |
SHA-512: | 58BD0A7BBA74306B9F5C11136E26C9BA6E7C9E9D1DF60163FE8D7DD919ECD5C2CA735A7B667043C1F31CFC6E67780875BEADA5A95919854E7ECB8F918C5F1AFA |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Users\user\Desktop\DHL Original Receipt_pdf.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 220672 |
Entropy (8bit): | 7.999008107054153 |
Encrypted: | true |
SSDEEP: | 6144:i85eJ8UxDlFbNvsxgCCAo0BuWKJE5285RLk5fO20N:i85fQFbXCfwDKTImdN |
MD5: | F17CDB23A72208A0CC23C168F8D13A62 |
SHA1: | DB703E287110E72E71CF91E856742C3AB2B8F832 |
SHA-256: | 2608F735EEBB0A24D76CF467C3AFB1AAFC50D44B366DFD9757CB78285338EF5A |
SHA-512: | 0C25ECF6DCA780A1E83D2B6B80392709EF9208818258A6D3E371ACD52E4997D32045F2CCA2103ADEC9DA9323706F4E48B920164EB8622D493720DF97D865EF94 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.94012628065006 |
TrID: |
|
File name: | DHL Original Receipt_pdf.exe |
File size: | 282745 |
MD5: | c376cef609a18260213571d06233ba20 |
SHA1: | 72523a0124ddd34ce6fa21901b4648311ae04b72 |
SHA256: | c42b7b1630553baa3aeb65e40b04244910822c175e9b6cb3f7f365264171196b |
SHA512: | 0691af013f3012b999c69ef1331b011798a8b6802d6a91fba370a78a1d9dbb57dab2c1aaab1e3d89611fd0e64577640eaed9334d153b601418b9f5ed8ba845a2 |
SSDEEP: | 6144:Ds9aphdmtsKdoFHOxDW+s6IVlzINDQCzvDj:yaphUtToFHSTs6IVl4QqvDj |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\......... |
File Icon |
---|
Icon Hash: | b2a88c96b2ca6a72 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x40323c |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x4B1AE3C6 [Sat Dec 5 22:50:46 2009 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 099c0646ea7282d232219f8807883be0 |
Entrypoint Preview |
---|
Instruction |
---|
sub esp, 00000180h |
push ebx |
push ebp |
push esi |
xor ebx, ebx |
push edi |
mov dword ptr [esp+18h], ebx |
mov dword ptr [esp+10h], 00409130h |
xor esi, esi |
mov byte ptr [esp+14h], 00000020h |
call dword ptr [00407030h] |
push 00008001h |
call dword ptr [004070B4h] |
push ebx |
call dword ptr [0040727Ch] |
push 00000008h |
mov dword ptr [00423F58h], eax |
call 00007F21D888D09Eh |
mov dword ptr [00423EA4h], eax |
push ebx |
lea eax, dword ptr [esp+34h] |
push 00000160h |
push eax |
push ebx |
push 0041F458h |
call dword ptr [00407158h] |
push 004091B8h |
push 004236A0h |
call 00007F21D888CD51h |
call dword ptr [004070B0h] |
mov edi, 00429000h |
push eax |
push edi |
call 00007F21D888CD3Fh |
push ebx |
call dword ptr [0040710Ch] |
cmp byte ptr [00429000h], 00000022h |
mov dword ptr [00423EA0h], eax |
mov eax, edi |
jne 00007F21D888A49Ch |
mov byte ptr [esp+14h], 00000022h |
mov eax, 00429001h |
push dword ptr [esp+14h] |
push eax |
call 00007F21D888C832h |
push eax |
call dword ptr [0040721Ch] |
mov dword ptr [esp+1Ch], eax |
jmp 00007F21D888A4F5h |
cmp cl, 00000020h |
jne 00007F21D888A498h |
inc eax |
cmp byte ptr [eax], 00000020h |
je 00007F21D888A48Ch |
cmp byte ptr [eax], 00000022h |
mov byte ptr [eax+eax+00h], 00000000h |
Rich Headers |
---|
Programming Language: |
|
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x9e0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x5a5a | 0x5c00 | False | 0.660453464674 | data | 6.41769823686 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.4453125 | data | 5.18162709925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x9000 | 0x1af98 | 0x400 | False | 0.55859375 | data | 4.70902740305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x2c000 | 0x9e0 | 0xa00 | False | 0.45625 | data | 4.51012867721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x2c190 | 0x2e8 | data | English | United States |
RT_DIALOG | 0x2c478 | 0x100 | data | English | United States |
RT_DIALOG | 0x2c578 | 0x11c | data | English | United States |
RT_DIALOG | 0x2c698 | 0x60 | data | English | United States |
RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States |
RT_MANIFEST | 0x2c710 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA |
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow |
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject |
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation |
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA |
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance |
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 11, 2021 14:51:45.072550058 CEST | 49741 | 587 | 192.168.2.7 | 85.187.128.34 |
Jun 11, 2021 14:51:45.285763025 CEST | 587 | 49741 | 85.187.128.34 | 192.168.2.7 |
Jun 11, 2021 14:51:45.285872936 CEST | 49741 | 587 | 192.168.2.7 | 85.187.128.34 |
Jun 11, 2021 14:51:45.363347054 CEST | 49741 | 587 | 192.168.2.7 | 85.187.128.34 |
Jun 11, 2021 14:51:45.575809956 CEST | 587 | 49741 | 85.187.128.34 | 192.168.2.7 |
Jun 11, 2021 14:51:45.879563093 CEST | 587 | 49741 | 85.187.128.34 | 192.168.2.7 |
Jun 11, 2021 14:51:45.879584074 CEST | 587 | 49741 | 85.187.128.34 | 192.168.2.7 |
Jun 11, 2021 14:51:45.879659891 CEST | 49741 | 587 | 192.168.2.7 | 85.187.128.34 |
Jun 11, 2021 14:51:45.879719019 CEST | 49741 | 587 | 192.168.2.7 | 85.187.128.34 |
Jun 11, 2021 14:51:45.880007029 CEST | 587 | 49741 | 85.187.128.34 | 192.168.2.7 |
Jun 11, 2021 14:51:45.880070925 CEST | 49741 | 587 | 192.168.2.7 | 85.187.128.34 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 11, 2021 14:50:03.970153093 CEST | 60501 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:04.022927999 CEST | 53 | 60501 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:05.271083117 CEST | 53775 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:05.331259012 CEST | 53 | 53775 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:05.509639978 CEST | 51837 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:05.562283993 CEST | 53 | 51837 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:07.053287983 CEST | 55411 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:07.106240034 CEST | 53 | 55411 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:07.947521925 CEST | 63668 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:08.000457048 CEST | 53 | 63668 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:09.659204006 CEST | 54640 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:09.718081951 CEST | 53 | 54640 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:10.716550112 CEST | 58739 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:10.768404007 CEST | 53 | 58739 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:11.632167101 CEST | 60338 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:11.682315111 CEST | 53 | 60338 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:13.136790991 CEST | 58717 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:13.188839912 CEST | 53 | 58717 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:14.307034016 CEST | 59762 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:14.358202934 CEST | 53 | 59762 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:15.674252033 CEST | 54329 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:15.724384069 CEST | 53 | 54329 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:16.529716969 CEST | 58052 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:16.581316948 CEST | 53 | 58052 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:19.642965078 CEST | 54008 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:19.696402073 CEST | 53 | 54008 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:20.816371918 CEST | 59451 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:20.868047953 CEST | 53 | 59451 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:22.513458967 CEST | 52914 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:22.563913107 CEST | 53 | 52914 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:23.931505919 CEST | 64569 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:23.981811047 CEST | 53 | 64569 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:24.723751068 CEST | 52816 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:24.778749943 CEST | 53 | 52816 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:25.568948030 CEST | 50781 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:25.619395018 CEST | 53 | 50781 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:26.429560900 CEST | 54230 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:26.479810953 CEST | 53 | 54230 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:27.385308027 CEST | 54911 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:27.435691118 CEST | 53 | 54911 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:28.757097960 CEST | 49958 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:28.810391903 CEST | 53 | 49958 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:30.982116938 CEST | 50860 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:31.054970026 CEST | 53 | 50860 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:47.171866894 CEST | 50452 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:47.244918108 CEST | 53 | 50452 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:50:59.193712950 CEST | 59730 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:50:59.252208948 CEST | 53 | 59730 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:51:11.857003927 CEST | 59310 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:51:11.919362068 CEST | 53 | 59310 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:51:12.697503090 CEST | 51919 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:51:12.759356022 CEST | 53 | 51919 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:51:13.449784040 CEST | 64296 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:51:13.509474039 CEST | 53 | 64296 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:51:13.950711966 CEST | 56680 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:51:14.012115002 CEST | 53 | 56680 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:51:14.184889078 CEST | 58820 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:51:14.243599892 CEST | 53 | 58820 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:51:14.583158016 CEST | 60983 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:51:14.635221004 CEST | 53 | 60983 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:51:15.219150066 CEST | 49247 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:51:15.281971931 CEST | 53 | 49247 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:51:15.743913889 CEST | 52286 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:51:15.805583954 CEST | 53 | 52286 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:51:16.803013086 CEST | 56064 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:51:16.856020927 CEST | 53 | 56064 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:51:18.288245916 CEST | 63744 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:51:18.338809967 CEST | 53 | 63744 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:51:19.901808977 CEST | 61457 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:51:19.960262060 CEST | 53 | 61457 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:51:27.433022976 CEST | 58367 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:51:27.491926908 CEST | 53 | 58367 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:51:44.978660107 CEST | 60599 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:51:45.042718887 CEST | 53 | 60599 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:51:56.938347101 CEST | 59571 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:51:57.011588097 CEST | 53 | 59571 | 8.8.8.8 | 192.168.2.7 |
Jun 11, 2021 14:51:58.344716072 CEST | 52689 | 53 | 192.168.2.7 | 8.8.8.8 |
Jun 11, 2021 14:51:58.416363955 CEST | 53 | 52689 | 8.8.8.8 | 192.168.2.7 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jun 11, 2021 14:51:44.978660107 CEST | 192.168.2.7 | 8.8.8.8 | 0x95d8 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jun 11, 2021 14:51:45.042718887 CEST | 8.8.8.8 | 192.168.2.7 | 0x95d8 | No error (0) | 85.187.128.34 | A (IP address) | IN (0x0001) |
SMTP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Jun 11, 2021 14:51:45.879563093 CEST | 587 | 49741 | 85.187.128.34 | 192.168.2.7 | 220-sg1-ts2.a2hosting.com ESMTP Exim 4.94.2 #2 Fri, 11 Jun 2021 20:51:45 +0800 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
Jun 11, 2021 14:51:45.879584074 CEST | 587 | 49741 | 85.187.128.34 | 192.168.2.7 | 421 sg1-ts2.a2hosting.com lost input connection |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
Click to jump to process
System Behavior |
---|
General |
---|
Start time: | 14:50:12 |
Start date: | 11/06/2021 |
Path: | C:\Users\user\Desktop\DHL Original Receipt_pdf.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 282745 bytes |
MD5 hash: | C376CEF609A18260213571D06233BA20 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
General |
---|
Start time: | 14:50:13 |
Start date: | 11/06/2021 |
Path: | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xce0000 |
File size: | 69632 bytes |
MD5 hash: | 88BBB7610152B48C2B3879473B17857E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
|
Reputation: | moderate |
Disassembly |
---|
Code Analysis |
---|